Multifunction Printers — The Forgotten Security Risk?

eweekhickins writes to share an article in eWeek highlighting the forgotten risks that a multifunction printer could possibly offer. Brendan O'Connor first called attention to the vulnerabilities of these new devices at a Black Hat talk in '06 and warns that these are no longer "dumb" machine sitting in the corner and should be treated with their own respective security strategy. "During his Black Hat presentation in 2006, O'Connor picked apart the security model of a Xerox WorkCentre MFP, showing how the device operated more like a low-end server or workstation than a copier or printer--complete with an AMD processor, 256MB of SDRAM and an 80GB hard drive and running Linux, Apache and PostGreSQL. He showed how the authentication on the device's Web interface can be easily bypassed to launch commands to completely hijack a new Xerox WorkCentre machine."

First virus

[IdeaMan]

Wasn't one of the first Mac viruses spread by a mac printer?

Re:First virus

[vux984]

Wasn't one of the first Mac viruses spread by a mac printer?

There was a famous trojan that infected apple laser printers via postscript... but I don't think it 'spread' itself so it wasn't really a virus, nor would it qualify as a Mac virus because it didn't infect Macs, just some Apple Printers.

In any case I think it just lived on the printer. Although one of its effects was to change the password, something that could only be done a limited number of times for some demented reason, which meant eventually the printer would lock you out, and you couldn't reset the password without swapping in a bios or pram, or something along those lines.

Nonetheless, yes, laserprinters have been 'servers' in their own right for over 20 years, so this is hardly news. The same is true of NAS, Routers, managed switched, and so forth. And as for an 'IT security strategy" really, what can you do? Be aware its possible, and limit your attack surfaces to a level appropriate to the risk of them being compromised and the level of damage they could do if compromised.

For most of us, "Don't put your printer on the internet" is probably sufficient"IT security strategy"... although for higher security installations, something more detailed would be required.

Re:First virus

[arth1]

Dunno if it was the first network printer hack, but I remember having great fun telnetting to our networked printers more than a decade ago, making the tiny LCD display say "Insert Coin".

Re:First virus

"Dunno if it was the first network printer hack, but I remember having great fun telnetting to our networked printers more than a decade ago, making the tiny LCD display say "Insert Coin"."

Fun for you, sure. YOU didn't have to clean the coins out of the gears.

So what's the potential threat?

[daveywest]

Are we going to have a bot net of machines that print our spam for us?

Re:So what's the potential threat?

[Adriax]

Fear the Goatse printer virus.

Re:So what's the potential threat?

[KublaiKhan]

More evil would be a system that forwards the documents printed to another location....

Re:So what's the potential threat?

[AuMatar]

No, they print out a ransom note, demanding $1,000,000,000 or they'll print out all our spam. Management will pay, because at the current cost of ink the billion is cheap.

Fool the black hats!

[EmbeddedJanitor]

Remove the toner from the printer and you only get white hats.

Weakest Link

[ookabooka]

This is actually a very good point, a network is only as strong as its weakest link (or firewall). While each machine on a network may be secure, hijacking a printer can do the same amount of damage as hacking any other machine on the network (save actual servers w/ data on them). Imagine hijacking a printer on a network and then having it send out spam (hey, its on superreliabledomain.com, no reason to hastily toss it in the spam bucket), or arp poisoning to listen in on other traffic on the network it should have no business with. Any device connected to a network should meet a certain standard of security, it only takes one weak link to really mess things up.

Perhaps I'm jaded, but is this news?

[zappepcs]

As noted, this has been covered before. If you are not doing your best to segment your network for security reasons, then you probably deserve to learn about this one the hard way. EVERYTHING now has the smarts/hardware to launch/spread/spawn a virus attack on your network. Every day I get one or two messages about this and mobile computing being the 'number one' threat to our networks.

FerCrissakes, every USB stick has that ability if you have not done your work/research etc.

But still, by far, the most dangerous thing on your network is the end user(s)...

That's life, it's the way the cookie crumbles, and it's how you're going to lose brownie points with the PHB at work.

The cleverest hacks are in front of your nose

[postbigbang]

Lexmark, Xerox, the list goes on. How about a Linksys WRT54G? How many devices out there can be easily rooted and owned? The list is endless. Who would suspect a logon attempt or a slow port scan from a printer, or a volume-page scanner?

Maybe your VoIP system's very happy you linked it to your Active Directory with an administrative logon. Seen any weird LDAP requests recently? Had to reboot your RIP engine recently? Surprise!

Diligence is its own reward.

Re:ABout time

[mpapet]

I'm calling you on this because I think it's very improbable without a laptop in the physical location. Sure it broadcasts like crazy in a LAN, but there's a HUGE leap from getting on the printer to turning it into your bot from a remote destination. Did the print server have a public IP?

Some details please.

How about physical document security instead?

[Radon360]

Let's work with the concept that a multifunction machine get pwned for a moment. Instead of all the ideas of using it to root around on your servers, or join a botnet, what if the vulnerability did something as innocuous as FTP/SMTP (or even fax) images of scanned/printed documents to a server on the outside world?

Get a machine in a place that does financial or medical records and now you have a steady stream of confidential information going somewhere in the form of soc. security numbers, bank account numbers, etc. all in scanned form.

Since the machine probably already does this on a regular basis under normal use, it's possible that such an exploit could continue for a while before it would ever be discovered.

At my work (a bank)...

[netsavior]

We have a $45,000 high quality high volume scan/printer that is a paperweight.

They purchased it for scanning confidential documents. The hitch is that there is only 1 way to get documents off of this printer: A public non-protected network share... This is basically against the law for a bank.

I suggested that I could set up a private network and they could securely upload docs to the proper place with the right security, however that plan was nixed for being "non-standard"
The result is that now they consult me when buying a pencil sharpener because they don't know how it will affect network security.

Re:ABout time

[GNU(slash)Nickname]

I doubt the banks DNS is going to give the laptop an IP Yep, pretty sure you're right about that.